Configuring multicast stream limits

Limit the number of multicast streams to protect the CPU from bursts of multicast data packets generated by malicious applications, such as viruses, that drive CPU utilization to 100 percent or prevent the CPU from processing protocol packets or management requests. If more than the configured number of multicast streams ingress to the CPU through a port during a sampling interval, the port shuts down until you take appropriate action.

About this task

You can enable or disable the mroute stream limit for the entire device or for individual ports when the switch is operating. If you enable the mroute stream limit for the device and for an individual port, only the periodic check is performed for that port.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable stream limitation globally:

    ip mroute stream-limit

  3. Enter GigabitEthernet Interface Configuration mode.

    interface gigabitethernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

  4. Enable stream limits:

    ip mroute stream-limit

  5. For Gigabit Ethernet interfaces, configure the maximum number of streams and the interval at which to sample:

    ip mroute max-allowed-streams <1–32768> max-allowed-streams-timer-check <1–3600>

  6. Show the mroute stream limit configuration:

    show ip mroute interface gigabitethernet [{slot/port[/sub-port][-slot/port[/sub-port]][,...]}]

Example

Switch:1(config)#ip mroute stream-limit
Switch:1(config)#interface gigabitethernet 3/6
Switch:1(config-if)#ip mroute stream-limit
Switch:1(config-if)#ip mroute max-allowed-streams 1000 max-allowed-streams-timer-check 20

Variable definitions

Use the data in the following table to complete the interface command.

  Variable: <1-4059>
  Value: Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs 1 to 4059 are configurable and the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default VLAN and you cannot create or delete VLAN ID 1.

  Variable: {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
  Value: Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

Use the data in the following table to complete the ip mroute command.

  Variable: max-allowed-streams <1–32768>
  Value: Configures the maximum number of streams on the specified port. The port is shut down if the number of streams exceeds this limit. The value is a number in the range 1–32768. The default value is 1984 streams. To configure this option to the default value, use the default operator with the command.

  Variable: max-allowed-streams-timer-check <1–3600>
  Value: Configures the sampling interval, in seconds, at which the system checks whether the number of multicast streams ingressing to the CPU is under the configured limit or whether the port must be shut down. The value is a number in the range 1–3600. The default value is 10 seconds. To configure this option to the default value, use the default operator with the command.

Job aid

The following message appears if the system shuts down the port due to excessive multicast streams:

Shutdown port <port> due to excessive multicast streams <# of streams ingressed>; Configured limit max streams <configured limit> in <configured sampling interval> sec. Please disable and re-enable the port.
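As an added example (not part of the original document or the switch software), the following Python parses the port-shutdown message above out of collected syslog lines so that a monitoring pipeline can alert on it and record the port, the stream count and the configured limit. The syslog prefix in the constructed sample lines is an assumption; only the message text itself comes from the job aid.

```python
import re
from dataclasses import dataclass

# Pattern for the port-shutdown message quoted in the job aid above.
# Port format is slot/port with an optional /sub-port on channelized ports.
SHUTDOWN_RE = re.compile(
    r"Shutdown port (?P<port>\d+/\d+(?:/\d+)?) due to excessive multicast streams "
    r"(?P<streams>\d+); Configured limit max streams (?P<limit>\d+) "
    r"in (?P<interval>\d+) sec\."
)

@dataclass(frozen=True)
class StreamLimitEvent:
    port: str
    streams: int   # multicast streams that reached the CPU in the interval
    limit: int     # configured max-allowed-streams (1-32768)
    interval: int  # configured max-allowed-streams-timer-check, in seconds

    @property
    def excess(self) -> int:
        """How far past the configured limit the port went."""
        return self.streams - self.limit

def parse_shutdown_message(line):
    """Return a StreamLimitEvent for a port-shutdown log line, else None."""
    m = SHUTDOWN_RE.search(line)
    if m is None:
        return None
    return StreamLimitEvent(m.group("port"), int(m.group("streams")),
                            int(m.group("limit")), int(m.group("interval")))

def shutdown_events(lines):
    """Collect shutdown events from an iterable of syslog lines, in order."""
    return [ev for ev in map(parse_shutdown_message, lines) if ev is not None]

# Constructed sample syslog lines (the timestamp/host prefix is assumed, not real output).
SAMPLE_LOG = [
    "Jan 10 12:00:01 switch1 Port 3/6 link up",
    "Jan 10 12:00:31 switch1 Shutdown port 3/6 due to excessive multicast streams "
    "1200; Configured limit max streams 1000 in 20 sec. Please disable and "
    "re-enable the port.",
    "Jan 10 12:00:32 switch1 Port 3/6 link down",
]

if __name__ == "__main__":
    for ev in shutdown_events(SAMPLE_LOG):
        print(f"port {ev.port}: {ev.streams} streams, limit {ev.limit} per "
              f"{ev.interval} s, excess {ev.excess}")
```

Because the port stays down until an operator disables and re-enables it, the parsed event is also a useful trigger for a ticket to verify the source of the streams before the port is restored.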

The following table shows the field descriptions for the show ip mroute interface command.

Table 1. show ip mroute interface field descriptions

  Field: PORT
  Description: Indicates the slot and port number.

  Field: MROUTE STR LIMIT
  Description: Indicates the maximum number of multicast streams that can enter the CPU through this port.

  Field: MROUTE STR LIMIT TIMER
  Description: Indicates the sampling period (in seconds) to check the number of multicast streams that enter the CPU through this port.

  Field: ENABLE
  Description: Indicates the status of the mroute stream limit on the port.